Chapter 20 IPSec VPN

Diffie-Hellman (DH) Key Exchange

The ZyWALL and the remote IPSec router use DH public-key cryptography to establish a shared secret. The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as illustrated next.

Figure 188 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange

Diffie-Hellman key exchange

3

X 4 Y

DH public-key cryptography is based on DH key groups. Each key group is a fixed number of bits long. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 bits), but DH2 keys take longer to encrypt and decrypt.

Authentication

Before the ZyWALL and remote IPSec router establish an IKE SA, they have to verify each other’s identity. This process is based on pre-shared keys and router identities.

In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps.

Figure 189 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued)

Step 5:

pre-shared key

ZyWALL identity, consisting of

-ID type

-content Step 6:

pre-shared key

Remote IPSec router identity, consisting of

-ID type

-content

5

X 6 Y

You have to create (and distribute) a pre-shared key. The ZyWALL and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged.

 

307

ZyWALL 110/310/1100 Series User’s Guide